book

Applied Network Security Monitoring

by Chris Sanders, Jason Smith

November 2013

Beginner

496 pages

14h 23m

English

Syngress

Read now

Unlock full access

Cover image
Title page
Table of Contents
Copyright
Dedication
Acknowledgements
About the Authors
Chris Sanders, Lead AuthorJason Smith, Co-AuthorDavid J. Bianco, Contributing AuthorLiam Randall, Contributing Author
Foreword
Preface
AudiencePrerequisitesConcepts and ApproachIP Address DisclaimerCompanion WebsiteCharitable SupportContacting Us
Chapter 1. The Practice of Applied Network Security Monitoring
AbstractKey NSM TermsIntrusion DetectionNetwork Security MonitoringVulnerability-Centric vs. Threat-Centric DefenseThe NSM Cycle: Collection, Detection, and AnalysisChallenges to NSMDefining the AnalystSecurity OnionConclusion

Section 1: Collection
Chapter 2. Planning Data Collection
AbstractThe Applied Collection Framework (ACF)Case Scenario: Online RetailerConclusion
Chapter 3. The Sensor Platform
AbstractNSM Data TypesSensor TypeSensor HardwareSensor Operating SystemSensor PlacementSecuring the SensorConclusion
Chapter 4. Session Data
AbstractFlow RecordsCollecting Session DataCollecting and Analyzing Flow Data with SiLKCollecting and Analyzing Flow Data with ArgusSession Data Storage ConsiderationsConclusion
Chapter 5. Full Packet Capture Data
AbstractDumpcapDaemonloggerNetsniff-NGChoosing the Right FPC Collection ToolPlanning for FPC CollectionDecreasing the FPC Data Storage BurdenManaging FPC Data RetentionConclusion
Chapter 6. Packet String Data
AbstractDefining Packet String DataPSTR Data CollectionViewing PSTR DataConclusion
Section 2: Detection
Chapter 7. Detection Mechanisms, Indicators of Compromise, and Signatures
AbstractDetection MechanismsIndicators of Compromise and SignaturesManaging Indicators and SignaturesIndicator and Signature FrameworksConclusion
Chapter 8. Reputation-Based Detection
AbstractPublic Reputation ListsAutomating Reputation-Based DetectionConclusion
Chapter 9. Signature-Based Detection with Snort and Suricata
AbstractSnortSuricataChanging IDS Engines in Security OnionInitializing Snort and Suricata for Intrusion DetectionConfiguring Snort and SuricataIDS RulesViewing Snort and Suricata AlertsConclusion
Chapter 10. The Bro Platform
AbstractBasic Bro ConceptsRunning BroBro LogsCreating Custom Detection Tools with BroConclusion
Chapter 11. Anomaly-Based Detection with Statistical Data
AbstractTop Talkers with SiLKService Discovery with SiLKFurthering Detection with StatisticsVisualizing Statistics with GnuplotVisualizing Statistics with Google ChartsVisualizing Statistics with AfterglowConclusion
Chapter 12. Using Canary Honeypots for Detection
AbstractCanary HoneypotsTypes of HoneypotsCanary Honeypot ArchitectureHoneypot PlatformsConclusion
Section 3: Analysis
Chapter 13. Packet Analysis
AbstractEnter the PacketPacket MathDissecting PacketsTcpdump for NSM AnalysisTShark for Packet AnalysisWireshark for NSM AnalysisPacket FilteringConclusion
Chapter 14. Friendly and Threat Intelligence
AbstractThe Intelligence Cycle for NSMGenerating Friendly IntelligenceGenerating Threat IntelligenceConclusion
Chapter 15. The Analysis Process
AbstractAnalysis MethodsAnalysis Best PracticesIncident Morbidity and MortalityConclusion
Appendix 1. Security Onion Control Scripts
High Level CommandsServer Control CommandsSensor Control Commands
Appendix 2. Important Security Onion Files and Directories
Application Directories and Configuration FilesSensor Data Directories
Appendix 3. Packet Headers
Appendix 4. Decimal / Hex / ASCII Conversion Chart
Index

Content preview from Applied Network Security Monitoring

Chapter 10

The Bro Platform

Abstract

NSM is all about bringing network data together to provide context for detection and analysis. Most NSM systems already integrate the “big three” sources (IDS alerts, session data, full packet capture data), but as we’ve already seen in this book, these are not the only data sources you can use. One particularly rich source of this data is Bro. This chapter will provide a review of the Bro architecture, the Bro language, and several practical cases that demonstrate the truly awesome power of Bro as an IDS and network logging engine.

Keywords

Network Security Monitoring; Bro; IDS; Darknet; Log; Notice; File Carving

Chapter Contents

Basic Bro Concepts

Running Bro

Bro Logs

Creating Custom Detection Tools with ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

The Practice of Network Security Monitoring

Publisher Resources

ISBN: 9780124172081

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Applied Network Security Monitoring

by Chris Sanders, Jason Smith

The Bro Platform